All right, I've got another pfSense video for you guys. I've had a few people ask me, saying, "Can you do a video specifically on the port forwarding?" Actually, this is a common question. I do it all the time, so I run through it kind of quick, and I think I went through it kind of quick in some of the other ones. Now, not just port forwarding: I'll show you port forwarding, and this is my lab that I've got set up here, and I've got it set up with two WANs, failover, and two separate networks. Now, it gets a little bit confusing when you're doing that, because people think when you make the NAT rule for something to pass through that it just carries over, but it doesn't. NAT rules have to be implicitly bound to each one. So we're gonna run through and pretend we're just doing port 80, a basic web server, and we'll show you how to map the port. We've got no rules, no visibility into my network, and we're gonna open up the firewall and we're gonna use my computer. Now, if you didn't notice, we'll jump back real quick here to the beginning: this is a 192.168.1 network, we have a 192.168.2 network and a 192.168.3 network. So we've got, you know, three different networks. My particular computer's IP address is 192.168.1.9. So we'll go over here to Firewall and we're gonna start with that. Then we're gonna add a rule. Now, when you're building the rules, by default it will land on the WAN interface. You can have them land on the LAN interface; you can have them land on... I just called it WAN 2, but you could have called it whatever. Sometimes for some clients, when we're setting up a WAN failover, we'll rename them: we'll call one ISP and we'll call the other one the other ISP. For example, Comcast could be one of the WAN interfaces and the other one can be called AT&T. It helps us identify them when we're looking at them, because you may not remember by the IP address. Well, anyway, because this is my lab we just call them WAN 1 and WAN 2, keep it simple.
So first we know what interface the NAT rule is applying to. Then we know: is it a TCP, UDP, or TCP/UDP port? We're just gonna leave it at TCP because we're doing our pretend web server. Now, I can pull from the list and put WWW, but I just know the port, so I type them in: port 80. Now the target IP is the IP we want to land on. We're landing on this computer; we're setting up our pretend web server on this. So the target IP is, you know, whatever the web server is internally. The external IP is the WAN address. Now, there are some advanced options where you can get in there: you can filter for certain IP addresses. By default we're gonna leave this wide open, let anything come here, but you can specify, for example, that the incoming traffic on this port is only visible by this one other computer. And you do that sometimes if you have two different sites set up, and it's just one more precautionary step: you want to filter all traffic unless it comes from that IP. Of course some IPs can be spoofed, but it's one more little layer you can add on there. Now, you can type in any custom port range, but the other thing here, the reason there's a "to" and "from" on here but on the other side only one port, is because whatever you set the beginning... if I set this one to be 100, I still leave this one at 80, because what it's doing is port 80 is here, so this is the beginning port. So I don't have to, like, do dash 100 or anything; it will automatically forward all the next ports. Now if I started this one at 100, it would actually forward from 100 to 120, all those ports in there, because there's a 20-port range. So that's why you don't need that, because people ask, "Okay, you know, how does that work if I want to have a range of ports forwarded?" So we're just gonna leave them 80, 80, and this was our WAN WWW server. Now, NAT reflection: use system default. If you're not familiar with what NAT reflection is, this is a really handy thing.
I've showed you in some of the other pfSense videos. By default, leave this on, and also "Add associated filter rule"; both of those leave at the default. With NAT reflection, there's not much of a reason to turn this off. For example, let's say you have a DVR and you have an external IP address, or maybe a URL, set up for that DVR so you can see your cameras. But when you're on your internal network, you're trying to view that DVR, but it's local to you. That's what NAT reflection does: it says, "Wait a minute, you're inside this network, but you're trying to get to it from the outside. But we understand that, so we're gonna reflect it back inward without actually going out." That way you can leave one URL, you can leave the public IP in your settings, while still having network... So that's what the NAT reflection is, so leaving all that on is fine. You can also create the rules disabled if you need to; then you can enable them later. You can also do some inverted options and things like that, so it kind of depends if you want to do all those kinds of really detailed filtering on this. And of course the "Add associated filter rule": first you have to have a NAT translation, which says this external IP lands to this internal IP, but then there has to be an associated firewall rule to actually allow the passing of traffic, and it does that by default. So there's that one on the WAN address now.
We're gonna add another one, essentially the same thing again here, but we're choosing WAN 2; that's our failover one. So this is our WAN 2 WWW. All the same rules apply, and this is how you map it if you have a failover address. Now, how that works in practice is a little bit different, because we're gonna apply the changes here. You're not making your web server redundant per se, because what you've done is you have two separate networks, because this is the WAN 2 network and this is the WAN 1 network. So you have to only point them at one of them, and you have to make... if one of these goes down, which you still want people to get to your web server, you still need to re-change a DNS setting to point it to the other side. Now, where there's redundancy, and this works, is we've helped people with mail servers behind there. So if you have a mail server you can add to your MX records a lower-priority MX, so you will pick one to be the primary, one to be the secondary. But this is all you have to do to map this across there: add one mapping for each one, so interface WAN 1, WAN 2. And when we look at the rules for the firewall, you can see "NAT WWW server" for the WAN, and then the WAN 2, yet another one on here. Now let's actually show you this working and run a little test here. All right, so we're gonna run netcat -l; we're gonna listen on port 80 over here. Now this particular computer, called "the box", actually has two network cards, and with two network cards it can go to each one of those IP addresses. It has a network card that's in each of these networks; it's all part of my lab setup. So the first IP address we'll go to is the one here. So we'll telnet .2.33 port 80, and we see over here, we see "hello", and the "hello" comes across. So we're able to port through on that one. So we'll close that and we'll open up this again, listen on port 80, and now we're going to do the other IP address, and it's in the 3 network: .3.251, port 80. "Hi from WAN 1". So you can see this works.
It's really simple to do, but some people do get confused. I think you can only make one NAT rule, and because these are together now... because they have separate IP addresses, there's not a way just to make one NAT rule and have them just work together. I actually think there's a way in pfSense; you may be able to alias them together as one. But the reality is you want to map the rules, and you also have to think: do you need to map the rules? When we set these up for some clients, other than having an internal mail server and MX records for failover, having the web server, because you have to go in and make a DNS change and have a secondary DNS for them to flow through on there, it may not be the most practical setup for you, because it doesn't really work in the way some people think: "Oh, if I have two ISPs, it just doubles my bandwidth." No, because your circuits need a single IP address to go through, so it doesn't double your bandwidth. This is more for failover purposes. I mean, there are routing things you can do where you can push some traffic over other circuits and create rules to define, you know, where this data goes over this circuit and that data is this, but that's a different topic, and it can help your speed. But this is just to show you really quickly how to do that. And if you happen to have more than one WAN address, for every WAN address you have, even if those are a group of IPs assigned to you (for example, we buy a block of five IPs), it's the same thing: you have to create a rule for each IP address and a NAT rule for them so it flows through. So that's just a quick overview of how that works. Hopefully it answers anybody who had questions on this. If you have some comments or questions or need another tutorial on this, leave some comments below and I'll work on that one. Thanks. Oh, if you like the content here, like and subscribe.
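The dual-WAN mapping and the port-range behaviour described in the video, as an added example that is not part of the video or of pfSense: a small Python model of how interface-bound port forwards resolve. It assumes the lab's WAN1/WAN2 names and internal host 192.168.1.9 from the video; the public addresses, the 203.0.113.0/24 source restriction and the pf-style rule text are constructed for illustration.

```python
# Added example (not from the video): a model of how pfSense port forwards
# resolve, showing why each WAN needs its own NAT rule and how a destination
# port range is shifted onto the target port. Addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class PortForward:
    interface: str        # the WAN the rule is bound to ("WAN1" or "WAN2")
    proto: str            # "tcp" or "udp"
    dst_from: int         # destination port range start (the "from" box)
    dst_to: int           # destination port range end (the "to" box)
    target_ip: str        # internal host, the pretend web server
    target_port: int      # single target port: the forwarded range starts here
    source_net: str = "0.0.0.0/0"   # optional source restriction; default wide open

    def matches(self, interface, proto, src_ip, dst_port):
        # A rule only sees traffic arriving on the interface it is bound to.
        return (interface == self.interface and proto == self.proto
                and ip_address(src_ip) in ip_network(self.source_net)
                and self.dst_from <= dst_port <= self.dst_to)

    def translate(self, dst_port):
        # The destination range is mapped 1:1 onto a range starting at target_port:
        # dst 80-100 with target 100 lands on 100-120, as described in the video.
        return self.target_ip, self.target_port + (dst_port - self.dst_from)

    def to_pf(self, wan_ip):
        # Illustrative pf-style rdr line; pfSense generates its own ruleset.
        src = "any" if self.source_net == "0.0.0.0/0" else self.source_net
        ports = (str(self.dst_from) if self.dst_from == self.dst_to
                 else f"{self.dst_from}:{self.dst_to}")
        return (f"rdr pass on {self.interface} inet proto {self.proto} from {src} "
                f"to {wan_ip} port {ports} -> {self.target_ip} port {self.target_port}")

def resolve(rules, interface, proto, src_ip, dst_port):
    # Return (target_ip, target_port) for the first matching rule, else None.
    for rule in rules:
        if rule.matches(interface, proto, src_ip, dst_port):
            return rule.translate(dst_port)
    return None   # no NAT rule bound to this WAN: the packet is not forwarded

WEB = "192.168.1.9"   # the video's internal test box
RULES = [
    PortForward("WAN1", "tcp", 80, 80, WEB, 80),      # WAN WWW server
    PortForward("WAN2", "tcp", 80, 80, WEB, 80),      # WAN2 WWW server: a separate rule
    # Constructed: a 21-port range locked to one remote site, shifted onto 100-120.
    PortForward("WAN1", "tcp", 80, 100, WEB, 100, source_net="203.0.113.0/24"),
]

if __name__ == "__main__":
    print(*(r.to_pf("192.0.2.1") for r in RULES), sep="\n")   # constructed WAN IP
```

Resolving port 90 on WAN2 returns None even though WAN1 forwards it, which is the point the video makes about needing one mapping per WAN.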